Jacobs Technology Inc. safety pilot Alex Flock pre-flights Elissa, NASA Armstrong’s autonomy testbed.
NASA Armstrong’s autonomy testbed Elissa is shown in flight during testing in March 2017.
Jacobs Technology Inc. operations engineer Jan Scofield and ground control operator Luke Guirguis conduct flight testing.

Trustworthy Autonomy


Verifying a Highly Autonomous Unmanned Aircraft System (UAS) 
Autonomy test team gathers around Elissa to discuss its next flight test. From right, Jeff Sutherland,
Alex Flock, Jan Scofield, Cameron Law, Ashraf Al-Hajjeh, and Luke Guirguis. Using a modified
commercial BirdsEyeView Aerobotics FireFLY6 UAS, the team is developing and testing a software
method for safely bounding the behavior of an autonomous aircraft in support of Federal Aviation
Administration (FAA) and American Society for Testing and Materials International (ASTM)
regulatory development. NASA Armstrong Photo/Lauren Hughes

The Traveler Effort


Autonomy is a cross-cutting technology requiring a high degree of integration. As such, it must, to a large degree, 
be approached holistically. The Traveler effort approaches autonomy from this perspective. 


The definition of autonomy for the purposes of this effort will be automatic decision making.

At the heart of the holistic approach is the premise that the conduct of any
safe flight operation follows certain fundamental rules:


1) The rules that govern safe and appropriate flight conduct remain
unchanged for any reasonable mission that is to be conducted by
any particular type of aircraft for a given airspace or concept of operations (ConOps)

2) The rules of safety and appropriate flight must always take priority over mission conduct

3) The rules of safe and appropriate flight can be functionally decomposed, and once decomposed are to a
large degree independent from one another

4) When these individual rules are applied to specific situations in flight, they carry different levels of
consequences if not followed


To instantiate this premise, the Traveler effort has constructed a software framework that leverages run-time 
assurance (RTA) methods to assure safe operations. However, unlike previous RTA efforts, Traveler is developing 
an RTA architecture that monitors multiple functional areas simultaneously (termed a multi-monitor RTA or
MM-RTA). MM-RTA coordinates the different functional areas with risk-based logic. This framework, which the Traveler
effort is calling the expandable variable-autonomy architecture (EVAA), is intended to be a software testbed for
MM-RTA research. This approach uses MM-RTA methods to safely bound autonomous behavior, and thus relieves 
the requirement to certify the guidance logic for accomplishing the mission objective. Furthermore, EVAA is 
structured to allow the addition and removal of monitors, sensors and aircraft models with a minimum of V&V 
requirements. Thus, the EVAA framework should support any given ConOps on any given aircraft with a minimum 
of software tailoring and associated V&V. 
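
A minimal sketch of the multi-monitor arbitration idea described above, added here as an illustration and not EVAA code. The monitor names, state fields, thresholds and the integer consequence scale are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class Verdict:
    monitor: str
    consequence: int  # assumed scale: higher = worse outcome if the rule is ignored
    command: str      # recovery action requested by the monitor

# A monitor checks one safety rule and returns a Verdict only when that rule is at risk.
Monitor = Callable[[dict], Optional[Verdict]]

# Hypothetical monitors; names, state fields and thresholds are illustrative only.
def geofence(state: dict) -> Optional[Verdict]:
    if state["dist_to_boundary_m"] < 50:
        return Verdict("geofence", 2, "turn_inbound")
    return None

def terrain(state: dict) -> Optional[Verdict]:
    if state["agl_m"] < 30:
        return Verdict("terrain", 3, "climb")
    return None

def battery(state: dict) -> Optional[Verdict]:
    if state["battery_pct"] < 20:
        return Verdict("battery", 1, "return_to_base")
    return None

class Arbiter:
    """Runs independent monitors; the highest-consequence one overrides the mission."""
    def __init__(self) -> None:
        self.monitors: Dict[str, Monitor] = {}

    def add(self, name: str, monitor: Monitor) -> None:
        self.monitors[name] = monitor

    def remove(self, name: str) -> None:
        self.monitors.pop(name, None)

    def decide(self, state: dict, mission_cmd: str) -> Tuple[str, Optional[Verdict]]:
        verdicts = [v for m in self.monitors.values() if (v := m(state)) is not None]
        if not verdicts:
            return mission_cmd, None  # uncertified guidance passes through unchanged
        worst = max(verdicts, key=lambda v: v.consequence)  # ties: first registered wins
        return worst.command, worst  # safety always outranks the mission command

def build_default() -> Arbiter:
    arb = Arbiter()
    for name, mon in (("geofence", geofence), ("terrain", terrain), ("battery", battery)):
        arb.add(name, mon)
    return arb
```

Because each monitor is a self-contained function behind one interface, adding or removing one does not touch the arbiter or the other monitors, which is the property the text credits with keeping V&V effort low.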


Safety assurance must be validated. To accomplish this, the Traveler effort heavily leverages flight-testing. 
Although simulation and analysis are used, the complex environmental situations that safety assurance must be 
proven under are not yet modelled well within simulations. Therefore, Traveler testing quickly moves to
flight-testing during development. This use of flight-testing allows the tested system to be validated, and identifies
simulation requirements and model improvements to assist future evaluations. 


The Traveler effort is executing a phased development and evaluation of EVAA. These phases are as follows: 


1) Formulate initial requirements focusing on
   a. Monitor control coordination for an MM-RTA
   b. Interface requirements for an MM-RTA

2) Finalize development of an MM-RTA
   a. Identify sensor requirements
   b. Identify monitor requirements for a given ConOps
   c. Establish the methodology for making an airworthiness case

3) Validate the MM-RTA findings
   a. Apply EVAA to 3 different aircraft and ConOps
   b. Successfully gain flight approval by making an airworthiness case based on the performance of an MM-RTA


The Traveler effort is working closely with both the FAA and industry regarding EVAA development and evaluation.
Findings from each phase are shared with the FAA to aid in their development of certification standards for 
autonomous aircraft. 


